JanKrohn

Well-Known Member
May 6, 2013
49
4
8
Phnom Penh
cPanel Access Level
Root Administrator
I have set up Mailman to have all list members moderated (default_member_moderation), and just one email address to be allowed to post (accept_these_nonmembers). So I'm actually "misusing" Mailman to operate a newsletter instead of a mailing list.

Yesterday, with these settings, a spam message came through (one of the notorious bitcoin blackmail type) and was distributed to 3600 recipients. The sender address is not a list member. Therefore, it should not have been accepted by Mailman. (Mystery #1).

Secondly, the spam score was 10.0. However, SpamAssassin is configured to delete messages over the threshold of 6.0. (Mystery #2).

I would really like to prevent this from happening again, and fix the hole in the configuration. But I'm clueless how it happened in the first place.

I do have the headers of the spam message after it has been distributed through Mailman, one from Naver, and one from outlook.com. They clearly show that the message came from somewhere outside (which is good; so my server is not compromised).

Here the Outlook headers:

- Removed Please review Guide To Opening An Effective Forums Thread -

Any insights with the issue would be extremely welcome...
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,300
363
Houston
Hi @JanKrohn

Have you checked the exim logs for this email transaction? I feel like that would be the most useful bit in understanding how this came to occur. If you add them here just replace any identifying information.
 

JanKrohn
I had replaced my domain with mydomain.net, my server domain with myserver.com, the spammer domain with spammer.hr, my cPanel user with myuser, and the last two blocks of my IP address with xxx.xxx. So what's the problem?

Hi @JanKrohn

Have you checked the exim logs for this email transaction? I feel like that would be the most useful bit in understanding how this came to occur. If you add them here just replace any identifying information.
Thanks, very helpful. I just looked at my exim log for the first time ever! The whole incident has more than 11,000 lines of log. I'll just copy the first few lines until outbound delivery starts.

Code:
2019-01-31 00:19:30 1gp04n-0007q6-44 H=win2.example.com [213.147.xxx.xx]:2079 Warning: Message has been scanned: no virus or other harmful content was found
2019-01-31 00:19:31 1gp04n-0007q6-44 H=win2.example.com [213.147.xxx.xx]:2079 Warning: "SpamAssassin as myuser detected message as spam (10.0)"
2019-01-31 00:19:31 1gp04n-0007q6-44 <= [email protected] H=win2.example.com [213.147.xxx.xx]:2079 P=esmtp S=5098 [email protected] T="This account has been hacked! Change your password right now!" for [email protected]
2019-01-31 00:19:31 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gp04n-0007q6-44
2019-01-31 00:19:31 1gp04n-0007q6-44 => win-iso <[email protected]> R=mailman_virtual_router T=mailman_virtual_transport
2019-01-31 00:19:31 1gp04n-0007q6-44 Completed
2019-01-31 00:19:31 SMTP connection from win2.example.com [213.147.xxx.xx]:2079 closed by QUIT
2019-01-31 00:19:32 SMTP connection from [::1]:60382 (TCP/IP connection count = 1)
2019-01-31 00:19:32 SMTP connection identification H=localhost A=::1 P=60382 U=mailman ID=995 S=mailman B=identify_local_connection
2019-01-31 00:19:32 1gp04q-0007vr-R2 H=(cvps173830114556.myserver.com) [::1]:60382 Warning: Message has been scanned: no virus or other harmful content was found
2019-01-31 00:19:32 1gp04q-0007vr-R2 <= [email protected] H=(cvps173830114556.myserver.com) [::1]:60382 P=esmtp S=6055 [email protected] T="[win-iso] ***SPAM*** This account has been hacked! Change your\n password right now!" for <list of recipients... outbound distribution starting NOW!>
 
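As an added example (it is not code from the thread, from cPanel or from Exim), here is a small Python triage script for exim_mainlog lines of the kind posted above. It groups the per-message lines by Exim message id, records the SpamAssassin score, whether the message was accepted (`<=`), whether it was rejected after DATA, and which transports it was handed to (`=>`), and then reports messages that scored at or above a threshold but were still routed onward. The log lines embedded in it are constructed to mirror the excerpt, with placeholder hosts, documentation-range IPs and example addresses; the 6.0 threshold is the Auto-Delete value mentioned in the thread. Run over a real log it would flag the incident above and also show that the list address was handed to mailman_virtual_transport rather than to a mailbox, which is worth checking: a per-mailbox auto-delete filter acts at mailbox delivery, and a message routed straight to Mailman never reaches that step (one plausible explanation, not something the thread confirms).

```python
import re

# Exim message ids look like 1gp04n-0007q6-44: three base-62 groups.
MSGID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>" + MSGID + r") (?P<rest>.*)$"
)
SCORE_RE = re.compile(r"detected message as spam \((?P<score>\d+(?:\.\d+)?)\)")
TRANSPORT_RE = re.compile(r"\bT=(?P<transport>[A-Za-z0-9_]+)")

# Constructed sample modelled on the excerpt in the thread: placeholder hosts,
# documentation-range IPs and example addresses, not real traffic.
SAMPLE_LOG = """\
2019-01-31 00:19:30 SMTP connection from win2.example.com [192.0.2.10]:2079 (TCP/IP connection count = 1)
2019-01-31 00:19:31 1gp04n-0007q6-44 H=win2.example.com [192.0.2.10]:2079 Warning: "SpamAssassin as myuser detected message as spam (10.0)"
2019-01-31 00:19:31 1gp04n-0007q6-44 <= bot@spammer.example H=win2.example.com [192.0.2.10]:2079 P=esmtp S=5098 T="This account has been hacked!" for win-iso@mydomain.example
2019-01-31 00:19:31 1gp04n-0007q6-44 => win-iso <win-iso@mydomain.example> R=mailman_virtual_router T=mailman_virtual_transport
2019-01-31 00:19:31 1gp04n-0007q6-44 Completed
2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail.example.net [198.51.100.7]:35607 Warning: "SpamAssassin as myuser detected message as spam (1002.7)"
2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail.example.net [198.51.100.7]:35607 F=<tester@example.net> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (80)."
2019-02-06 08:00:00 1gr5xx-0001aa-Zz H=mx.example.org [203.0.113.5]:25 Warning: "SpamAssassin as myuser detected message as spam (2.1)"
2019-02-06 08:00:00 1gr5xx-0001aa-Zz <= editor@example.org H=mx.example.org [203.0.113.5]:25 P=esmtp S=800 T="Monthly update" for win-iso@mydomain.example
2019-02-06 08:00:00 1gr5xx-0001aa-Zz => win-iso <win-iso@mydomain.example> R=mailman_virtual_router T=mailman_virtual_transport
"""


def parse_mainlog(text):
    """Return {message_id: record} built from the lines that carry a message id.

    Connection-level lines (no message id) are skipped on purpose.
    """
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = records.setdefault(
            m.group("id"),
            {"score": None, "accepted": False, "rejected": False,
             "transports": [], "sender": None},
        )
        rest = m.group("rest")
        score = SCORE_RE.search(rest)
        if score:
            rec["score"] = float(score.group("score"))
        elif rest.startswith("<= "):
            # Message accepted into the queue; second token is the envelope sender.
            rec["accepted"] = True
            rec["sender"] = rest.split()[1]
        elif rest.startswith("=> "):
            # Delivery line: note which transport took the message.
            t = TRANSPORT_RE.search(rest)
            if t:
                rec["transports"].append(t.group("transport"))
        elif "rejected after DATA" in rest:
            rec["rejected"] = True
    return records


def find_threshold_bypasses(records, threshold=6.0):
    """Message ids scored at or above `threshold` that Exim still accepted and
    handed to a transport, i.e. neither rejected at SMTP time nor discarded."""
    return sorted(
        mid for mid, r in records.items()
        if r["score"] is not None and r["score"] >= threshold
        and r["accepted"] and not r["rejected"] and r["transports"]
    )


def routed_to_mailman(records):
    """Message ids that were handed to a Mailman transport instead of a mailbox."""
    return sorted(
        mid for mid, r in records.items()
        if any("mailman" in t for t in r["transports"])
    )


if __name__ == "__main__":
    recs = parse_mainlog(SAMPLE_LOG)
    for mid in find_threshold_bypasses(recs):
        r = recs[mid]
        print(f"{mid}: score {r['score']} from {r['sender']} -> {', '.join(r['transports'])}")
```

Point the script at the real file with `parse_mainlog(open("/var/log/exim_mainlog").read())`; for an 11,000-line incident the grouping by message id is what makes the `=>` fan-out readable.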

cPanelLauren
Hi @JanKrohn

Congratulations on successfully utilizing the exim logs to troubleshoot an issue!

Looking at this and at the moderated portion of your initial message I believe I have some further questions:

  1. If you go to cPanel>>Email>>Mailing lists under access what is the Access Status of the list you have?
  2. If you go from the mailing list UI above to -> Manage next to the mailing list then -> Privacy Options -> Sender Filters -> What is set for Action to take for postings from non-members for which no explicit action is defined.

As far as why the initial post was moderated, we try not to include any domain names except for examples in posts, so the Hotmail/MS info is most likely why @Infopro moderated it, though he may have further reasoning for that as well.
 

JanKrohn
The same message was distributed over my mailing list a total of three times now. I've made some modifications in the configuration since then.

1. If you go to cPanel>>Email>>Mailing lists under access what is the Access Status of the list you have?

All affected lists are public (as they should be, as they're open to all my visitors).

2. If you go from the mailing list UI above to -> Manage next to the mailing list then -> Privacy Options -> Sender Filters -> What is set for Action to take for postings from non-members for which no explicit action is defined.

That setting is "reject" for all of my lists, both before and after re-configuration.
From the mail log I could see thousands of spamming attempts, but only these bitcoin scam mails are being ignored by the configuration.

As a workaround, I have restricted the message size to 1 kB so that everything is moderated now, banned all non-members that were allowed to post, and configured pre-authorization for a few selected members. Seems to be working, but it's not a long-term solution.

The spam score of 10.0 being ignored by the deletion threshold is another issue...
(Auto-Delete is enabled. This will permanently delete all new email messages with a calculated spam score that meets or exceeds the Auto-Delete Threshold Score (6).)
 

cPanelLauren
Hi @JanKrohn

While I understand why you'd want them available to your users, you might rethink some of the settings for private/public:

We can use my test server as an example:

Edit Privacy Options: “[email protected]

You can adjust this mailing list’s privacy settings below.

Include this list in Mailman’s public advertisement of this server’s mailing lists.
Keep this list’s archives private.
Require only email confirmation for new subscribers.
Require only administrator approval for new subscribers.
Require both administrator approval and email confirmation for new subscribers.

For a public list the following are checked:

Include this list in Mailman’s public advertisement of this server’s mailing lists.
Require only email confirmation for new subscribers.

That's entirely up to you though.

From the mail log I could see thousands of spamming attempts, but only these bitcoin scam mails are being ignored by the configuration.
This is because of the header forgery that's being done. I'm curious also if setting the following will stop it from occurring as well:

EXPERIMENTAL: Rewrite From: header to match actual sender
If you enabled this option, the From: header will be rewritten to be the email address of the actual message sender. If you choose the "remote" option, only messages that are being sent to remote destinations will be affected.
The spam score of 10.0 being ignored by the deletion threshold is another issue...
(Auto-Delete is enabled. This will permanently delete all new email messages with a calculated spam score that meets or exceeds the Auto-Delete Threshold Score (6).)
That's intriguing. I tried to test this to see if my mail would also be accepted, as if this is replicable it's worthy of an internal case, but I was unable to do so. Please see below:
Code:
2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 Warning: "SpamAssassin as myuser detected message as spam (1002.7)"
2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 Warning: Message has been scanned: no virus or other harmful content was found
2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F=<[email protected]> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (80)."
I sent this to an email list which I created for testing purposes and confirmed it doesn't get forwarded on to my users. Which version of cPanel are you using? The only differences I see are that

1. I wasn't able to use something that would be potential header forgery
2. We could be using different versions of cPanel - I tested on v78.0.6
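To make the header-forgery point concrete, here is an added Python model (not Mailman's own code and not a cPanel setting) of how a sender filter that keys on the From: header behaves, next to a stricter variant that only honours the non-member allow-list when the SMTP envelope sender agrees with From:. The header order in SENDER_HEADERS, with None standing for the envelope sender, is an assumption modelled on Mailman 2.1's default; the list names, addresses and messages are constructed placeholders. The "forged" case is the pattern discussed above: a From: that matches the single allowed poster, arriving in an SMTP session from an unrelated envelope sender.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumed: the headers consulted for the sender, in order; None stands for
# the SMTP envelope sender (MAIL FROM). Modelled on Mailman 2.1's default.
SENDER_HEADERS = ("from", None, "reply-to", "sender")


def candidate_senders(msg, envelope_from):
    """Lower-cased sender addresses in the order the headers are consulted."""
    found = []
    for header in SENDER_HEADERS:
        if header is None:
            addrs = [envelope_from]
        else:
            addrs = [a for _, a in getaddresses(msg.get_all(header, []))]
        for addr in addrs:
            addr = addr.lower()
            if addr and addr not in found:
                found.append(addr)
    return found


def header_based_decision(msg, envelope_from, members, accept_these_nonmembers,
                          default_member_moderation=True, nonmember_action="reject"):
    """From:-first sender filter, the way the thread's list is configured.

    Returns 'accept', 'hold' or 'reject'.
    """
    senders = candidate_senders(msg, envelope_from)
    for sender in senders:
        if sender in members:
            return "hold" if default_member_moderation else "accept"
    # Non-member: the first candidate (normally From:) is matched against the
    # allow-list; nothing here looks at where the SMTP session really came from.
    sender = senders[0] if senders else envelope_from.lower()
    if sender in accept_these_nonmembers:
        return "accept"
    return nonmember_action


def envelope_aligned_decision(msg, envelope_from, members, accept_these_nonmembers,
                              default_member_moderation=True, nonmember_action="reject"):
    """Hardened variant (hypothetical, not a Mailman option): the non-member
    bypass applies only when the envelope sender is also on the allow-list."""
    senders = candidate_senders(msg, envelope_from)
    for sender in senders:
        if sender in members:
            return "hold" if default_member_moderation else "accept"
    from_addrs = {a.lower() for _, a in getaddresses(msg.get_all("from", []))}
    if from_addrs <= accept_these_nonmembers and envelope_from.lower() in accept_these_nonmembers:
        return "accept"
    # An allow-listed From: with a non-matching envelope is the forgery
    # pattern; hold it for the moderator instead of accepting it.
    if from_addrs & accept_these_nonmembers:
        return "hold"
    return nonmember_action


# Constructed sample list configuration and messages (placeholder addresses).
MEMBERS = {"reader@example.org"}
ALLOWED_POSTERS = {"news@mydomain.example"}

LEGIT = ("From: Newsletter <news@mydomain.example>\nTo: win-iso@mydomain.example\n"
         "Subject: February update\n\nHello list\n")
FORGED = ("From: news@mydomain.example\nTo: win-iso@mydomain.example\n"
          "Subject: This account has been hacked!\n\n...\n")
MEMBER_POST = ("From: reader@example.org\nTo: win-iso@mydomain.example\n"
               "Subject: question\n\nHi\n")
STRANGER = ("From: someone@else.example\nTo: win-iso@mydomain.example\n"
            "Subject: hello\n\nHi\n")


def evaluate(raw, envelope_from):
    """Return (header-based decision, envelope-aligned decision) for one message."""
    msg = message_from_string(raw)
    return (header_based_decision(msg, envelope_from, MEMBERS, ALLOWED_POSTERS),
            envelope_aligned_decision(msg, envelope_from, MEMBERS, ALLOWED_POSTERS))


if __name__ == "__main__":
    for name, raw, env in (("legit", LEGIT, "news@mydomain.example"),
                           ("forged", FORGED, "bot@spammer.example"),
                           ("member", MEMBER_POST, "reader@example.org"),
                           ("stranger", STRANGER, "someone@else.example")):
        print(name, evaluate(raw, env))
```

The difference shows up only in the forged case: the From:-keyed filter accepts it, the envelope-aligned one holds it. The list software's own sender filter cannot be swapped for this function, but the same idea can be enforced in front of it, for example by requiring SPF or DKIM alignment for the allowed poster's domain at the MTA before the message ever reaches the list.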
 

JanKrohn
For a public list the following are checked:

Include this list in Mailman’s public advertisement of this server’s mailing lists.
Require only email confirmation for new subscribers.
I use the same settings.

This is because of the header forgery that's being done. I'm curious also if setting the following will stop it from occurring as well:
Interesting setting. Never noticed it before. It should be good to enable in any case.

That's intriguing. I tried to test this to see if my mail would also be accepted, as if this is replicable it's worthy of an internal case, but I was unable to do so. Please see below:
Code:
2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 Warning: "SpamAssassin as myuser detected message as spam (1002.7)"
2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 Warning: Message has been scanned: no virus or other harmful content was found
2019-02-05 10:45:57 1gr3rA-0009Lr-1v H=mail-lf1-f49.google.com [209.85.167.49]:35607 X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F=<[email protected]> rejected after DATA: "The mail server detected your message as spam and has prevented delivery (80)."
I sent this to an email list which I created for testing purposes and confirmed it doesn't get forwarded on to my users. Which version of cPanel are you using? The only differences I see are that

1. I wasn't able to use something that would be potential header forgery
2. We could be using different versions of cPanel - I tested on v78.0.6
I'm still on v76. If it will be fixed on v78, then that's great. I was planning to upgrade anyway.
 

cPanelLauren
I'm still on v76. If it will be fixed on v78, then that's great. I was planning to upgrade anyway.
I can't guarantee that; I just happened to have a 78 server to test on. I haven't tested this on 76, but I didn't have a server with a live domain available to test on (without doing local delivery).
 

JanKrohn
Thanks for your help so far. With all the configuration changes in place, I think it's now safe to wait and see what happens.
If a spam mail from a non-member gets caught in moderation within the next month or so, then I'd appreciate help with further investigation.

If not, then I think the matter is closed (and I will lift some of the moderation settings in my lists again).
 